Okay, finally I found a (not the) solution. I set the "Requires SSL" flag for SSO. This was just mentioned by IBM as a standalone solution for the secure flag. How to get there:
Security -> Global Security -> Web- and SIP-Security -> Single Sign-on (SSO) -> check "Requires SSL"
This has been done on IBM WebSphere Application Server 7 with fixpack 7.0.0.27. Maybe the solution from IBM was relying on an older version and they changed the behaviour in the meantime.
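To check that the change actually took effect, here is an added example (not from the original post): a small Python audit that parses the Set-Cookie headers of a captured login response and reports which session cookies still lack the Secure attribute. It assumes the SSO cookie is named LtpaToken2 (WebSphere's default LTPA cookie name); the sample headers below are constructed.

```python
from typing import Dict, List, Union

# Constructed sample headers, as an SSO login response might return them
# before "Requires SSL" is enabled: the LTPA cookie has HttpOnly but no Secure.
SAMPLE_HEADERS = [
    "LtpaToken2=QmFzZTY0VG9rZW5QbGFjZWhvbGRlcg==; Path=/; Domain=.example.com; HttpOnly",
    "JSESSIONID=0000abcdef:1a2b3c; Path=/; HttpOnly; Secure",
]

# Cookies that carry a session or SSO token and must therefore be Secure.
SESSION_COOKIES = ("LtpaToken2", "LtpaToken", "JSESSIONID")


def parse_set_cookie(header: str) -> Dict[str, Union[str, Dict[str, Union[str, bool]]]]:
    """Split one Set-Cookie header into the cookie name and its attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, Union[str, bool]] = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return {"name": name, "attrs": attrs}


def missing_secure(headers: List[str]) -> List[str]:
    """Return the names of session/SSO cookies set without the Secure attribute."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        name = str(cookie["name"])
        attrs = cookie["attrs"]
        if name.startswith(SESSION_COOKIES) and "secure" not in attrs:
            findings.append(name)
    return findings


if __name__ == "__main__":
    for name in missing_secure(SAMPLE_HEADERS):
        print(f"{name}: Secure attribute missing")
```

Run it against the real response headers from your own server (for example from a browser's network tab) once before and once after enabling "Requires SSL"; an empty result for the LTPA cookie confirms the flag is now set.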